IPVS: Creating netns size=2552 id=7
IPVS: Creating netns size=2552 id=8
BUG: using __this_cpu_add() in preemptible [00000000] code: syz-executor2/4422
caller is __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
CPU: 1 PID: 4422 Comm: syz-executor2 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 b5baf5aeb1043774 ffff8801d4a77800 ffffffff81d0278d
0000000000000001 ffffffff839fe3a0 ffffffff83cef6a0 ffff8801d4b80000
0000000000000003 ffff8801d4a77840 ffffffff81d626d4 ffffffff810002b8
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] check_preemption_disabled+0x1d4/0x200 lib/smp_processor_id.c:46
[] ? 0xffffffff810002b8
[] __this_cpu_preempt_check+0x1c/0x20 lib/smp_processor_id.c:62
[] tcp_try_coalesce+0x249/0x4d0 net/ipv4/tcp_input.c:4278
[] tcp_queue_rcv+0x127/0x720 net/ipv4/tcp_input.c:4485
[] tcp_send_rcvq+0x39b/0x450 net/ipv4/tcp_input.c:4531
[] tcp_sendmsg+0x1e8f/0x2b10 net/ipv4/tcp.c:1134
[] inet_sendmsg+0x2bc/0x4c0 net/ipv4/af_inet.c:755
[] sock_sendmsg_nosec net/socket.c:625 [inline]
[] sock_sendmsg+0xca/0x110 net/socket.c:635
[] SYSC_sendto+0x2c8/0x340 net/socket.c:1665
[] SyS_sendto+0x40/0x50 net/socket.c:1633
[] entry_SYSCALL_64_fastpath+0x1c/0x98
TCP: request_sock_TCP: Possible SYN flooding on port 20006. Sending cookies. Check SNMP counters.
capability: warning: `syz-executor1' uses 32-bit capabilities (legacy support in use)
audit: type=1400 audit(1517133748.994:5): avc: denied { create } for pid=4626 comm="syz-executor2" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
mmap: syz-executor6 (4638) uses deprecated remap_file_pages() syscall. See Documentation/vm/remap_file_pages.txt.
audit: type=1400 audit(1517133749.704:6): avc: denied { create } for pid=4706 comm="syz-executor5" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
skbuff: bad partial csum: csum=65535/65535 len=14
audit: type=1400 audit(1517133751.274:7): avc: denied { write } for pid=5077 comm="syz-executor1" path="socket:[11760]" dev="sockfs" ino=11760 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 0 PID: 5094 Comm: syz-executor7 Not tainted 4.4.113-g202e079 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
0000000000000000 8375ff706022bdd9 ffff8800b622f6d0 ffffffff81d0278d
ffff8800ba674780 1ffff10016c45ee7 ffff8800b622f858 0000000000000000
0000000000000000 ffff8800b622f880 ffffffff81605d55 ffffffff812363c0
Call Trace:
[] __dump_stack lib/dump_stack.c:15 [inline]
[] dump_stack+0xc1/0x124 lib/dump_stack.c:51
[] handle_userfault+0x715/0xf50 fs/userfaultfd.c:316
[] do_anonymous_page mm/memory.c:2731 [inline]
[] handle_pte_fault mm/memory.c:3295 [inline]
[] __handle_mm_fault mm/memory.c:3426 [inline]
[] handle_mm_fault+0x2938/0x3190 mm/memory.c:3455
[] __do_page_fault+0x35b/0xa00 arch/x86/mm/fault.c:1245
[] do_page_fault+0x27/0x30 arch/x86/mm/fault.c:1308
[] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1033
[] vfs_ioctl fs/ioctl.c:43 [inline]
[] do_vfs_ioctl+0x7aa/0xee0 fs/ioctl.c:607
[] SYSC_ioctl fs/ioctl.c:622 [inline]
[] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
[] entry_SYSCALL_64_fastpath+0x1c/0x98
tc_dump_action: action bad kind
audit: type=1400 audit(1517133751.924:8): avc: denied { bind } for pid=5180 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
audit: type=1400 audit(1517133751.944:9): avc: denied { create } for pid=5186 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_crypto_socket permissive=1
IPv4: Oversized IP packet from 127.0.0.1
audit: type=1400 audit(1517133752.634:10): avc: denied { set_context_mgr } for pid=5415 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
keychord: unsupported version 0
keychord: unsupported version 0
binder: 5415:5440 ERROR: BC_REGISTER_LOOPER called without request
audit: type=1400 audit(1517133752.704:11): avc: denied { setopt } for pid=5446 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_netfilter_socket permissive=1
binder: 5415:5440 got reply transaction with no transaction stack
binder: 5415:5440 transaction failed 29201/-71, size 24-8 line 2921
binder: 5415:5462 IncRefs 0 refcount change on invalid ref 1 ret -22
audit: type=1400 audit(1517133752.774:12): avc: denied { call } for pid=5415 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder: undelivered TRANSACTION_ERROR: 29201
binder: release 5415:5445 transaction 1 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 1, target dead
binder: 5415:5416 ERROR: BC_REGISTER_LOOPER called without request
binder: 5415:5440 transaction failed 29189/-22, size 0-0 line 3005
binder: 5415:5416 got reply transaction with no transaction stack
binder: 5415:5416 transaction failed 29201/-71, size 24-8 line 2921
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: BINDER_SET_CONTEXT_MGR already set
binder: 5486:5508 ioctl 40046207 0 returned -16
binder: 5486:5489 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 5486:5508 Release 1 refcount change on invalid ref 0 ret -22
netlink: 224 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 224 bytes leftover after parsing attributes in process `syz-executor4'.
sg_write: data in/out 327644/48 bytes for SCSI command 0x0-- guessing data in; program syz-executor3 not setting count and/or reply_len properly
keychord: invalid keycode count 0
keychord: invalid keycode count 0
ALSA: seq fatal error: cannot create timer (-16)
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
program syz-executor2 is using a deprecated SCSI ioctl, please convert it to SG_IO
binder: 6122:6125 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6122:6125 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6122:6133 ioctl 40046207 0 returned -16
binder: 6122:6132 unknown command 536907575
binder: 6122:6133 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 6122:6132 ioctl c0306201 20008fd0 returned -22
binder: 6265:6270 unknown command 0
binder: 6265:6270 ioctl c0306201 2000a000 returned -22
audit_printk_skb: 6 callbacks suppressed
audit: type=1400 audit(1517133755.724:15): avc: denied { transfer } for pid=6265 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: binder_alloc_mmap_handler: 6265 20000000-20002000 already mapped failed -16
binder: 6265:6289 unknown command 0
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6265:6270 ioctl 40046207 0 returned -16
binder: 6265:6289 ioctl c0306201 2000a000 returned -22
binder: release 6265:6270 transaction 12 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 12, target dead
binder_alloc: binder_alloc_mmap_handler: 6291 20000000-20002000 already mapped failed -16
audit: type=1400 audit(1517133755.864:16): avc: denied { create } for pid=6295 comm="syz-executor7" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1517133755.904:17): avc: denied { ioctl } for pid=6295 comm="syz-executor7" path="socket:[13498]" dev="sockfs" ino=13498 ioctlcmd=660b scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1517133755.954:18): avc: denied { write } for pid=6295 comm="syz-executor7" path="socket:[13498]" dev="sockfs" ino=13498 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_connector_socket permissive=1
audit: type=1400 audit(1517133756.044:19): avc: denied { ioctl } for pid=6344 comm="syz-executor4" path="socket:[13522]" dev="sockfs" ino=13522 ioctlcmd=8935 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_generic_socket permissive=1
netlink: 3697 bytes leftover after parsing attributes in process `syz-executor3'.
syz-executor3 uses obsolete (PF_INET,SOCK_PACKET)
audit: type=1400 audit(1517133756.124:20): avc: denied { create } for pid=6354 comm="syz-executor1" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_scsitransport_socket permissive=1
binder: BINDER_SET_CONTEXT_MGR already set
binder: 6428:6433 ioctl 40046207 0 returned -16
binder_alloc: 6428: binder_alloc_buf, no vma
binder: 6428:6438 transaction failed 29189/-3, size 56-8 line 3128
binder: release 6428:6429 transaction 15 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 15, target dead
binder: undelivered TRANSACTION_ERROR: 29189
binder: release 6448:6461 transaction 19 out, still active
binder: undelivered TRANSACTION_COMPLETE
binder: send failed reply for transaction 19, target dead
binder: 6589:6610 tried to acquire reference to desc 0, got 1 instead
binder: 6589:6610 BC_REQUEST_DEATH_NOTIFICATION invalid ref 0
binder: 6589:6610 BC_DEAD_BINDER_DONE 0000000000000000 not found
SELinux: unknown mount option